Impact Analysis

This vulnerability allows any unauthenticated attacker to retrieve direct playable URLs for all password-protected videos, completely bypassing the password requirement.

Attackers can enumerate which videos are password-protected and then directly access and download the video content without authorization.

This compromises the confidentiality of protected video content across all API consumers, including mobile apps and third-party integrations, potentially leading to unauthorized distribution or exposure of sensitive videos.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-34369 is a moderate severity vulnerability in the WWBN AVideo platform (versions up to 26.0) where the API endpoints `get_api_video_file` and `get_api_video` return full video playback sources for password-protected videos without verifying the video password.

While the normal web playback flow enforces password checks, this enforcement is missing in the API code path. As a result, an unauthenticated attacker can call these API endpoints directly to retrieve direct playback URLs (such as MP4 URLs and HLS manifests) for any password-protected video without needing the password.

This happens because the API endpoints perform access checks related to admin status, video active status, ownership, and plugin restrictions, but do not verify the video password protection. The vulnerability allows bypassing the intended password protection mechanism.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the API endpoints `get_api_video_file` and `get_api_video` for password-protected videos without providing a password and observing if direct video playback URLs are returned.

• Use the video list API to identify videos with the `video_password` field set, indicating password protection.
• Call the `get_api_video_file` endpoint with the video ID of a password-protected video without supplying a password parameter.
• If the API returns direct MP4 URLs or HLS manifests without requiring a password, the vulnerability is present.
• Example command using curl to test the vulnerability: `curl 'https://your-avideo-instance/api/get_api_video_file?video_id=PASSWORD_PROTECTED_VIDEO_ID'`

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves applying the patch that enforces password verification on the vulnerable API endpoints.

• Update the AVideo platform to a version including the fix (commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 or later).
• Ensure that the `get_api_video_file` and `get_api_video` endpoints verify the video password before returning playback URLs or sources.
• If immediate patching is not possible, restrict access to the API endpoints via network controls or authentication mechanisms to prevent unauthenticated access.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated attackers to bypass password protection and access direct playback URLs for password-protected videos. Such unauthorized access to protected content can lead to confidentiality breaches.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, unauthorized access to protected video content could potentially violate data protection and privacy requirements under these regulations, especially if the videos contain personal or sensitive information.

Therefore, this vulnerability undermines the effectiveness of access controls, which are critical for maintaining compliance with common security and privacy standards.

Useful 0 Not Useful 0